Slim build

Sometimes you don’t need ajax, or you prefer to use one of the many standalone libraries that focus on ajax requests. And often it is simpler to use a combination of CSS and class manipulation for all your web animations. Along with the regular version of jQuery that includes the ajax and effects modules, we’ve released a “slim” version that excludes these modules. All in all, it excludes ajax, effects, and currently deprecated code. The size of jQuery is very rarely a load performance concern these days, but the slim build is about 6k gzipped bytes smaller than the regular version – 23.6k vs 30k. These files are also available in the npm package and on the CDN:

These updates are already available as the current versions on npm and Bower. Information on all the ways to get jQuery is available at https://jquery.com/download/. Public CDNs receive their copies today; please give them a few days to post the files. If you’re anxious to get a quick start, use the files on our CDN until they have a chance to update.

The jQuery Foundation and Standards
Wed, 27 Jul 2016 15:47:50 +0000
http://blog.jquery.com/2016/07/27/the-jquery-foundation-and-standards-2/

Over the years the jQuery Foundation has worked to give web developers a meaningful voice in the standards process. That’s why we’re excited to help formally establish our involvement in chapters.io, an effort that allows us to work with meetups and supporters around the globe to help developers learn more about recent standards and discuss current proposals.

Our inaugural event will be a regular forum co-organized by one of our own representatives and supported by Pittsburgh, PA’s Code and Supply and Bearded. On Tuesday, August 2nd, Brian Kardell will be presenting at Code and Supply’s regular meetup to talk more about standards and chapters. From there we’ll be organizing the first meeting. If you’re in Pittsburgh and you work on the Web, please come out. If you’re interested in hosting and organizing a meetup in your city, please open an issue on the jQuery Foundation’s standards team GitHub and we’ll try to find someone who can help coordinate.

The jQuery Foundation knows that the Web is at its best when developers are involved, but standards traditionally didn’t include that in their model. Standards were typically driven by browser makers and large companies with a significant stake in the outcome. Sometimes the standard made sense for those groups, but turned out to be less effective when deployed in the harsh reality of the Internet.

In October 2011, Addy Osmani wrote the post announcing the jQuery Standards Team on the blog, naming Yehuda Katz and Paul Irish to help represent the developer community in W3C and TC39. Over the years, numerous jQuery representatives have done a lot to advocate for developers and change the standards process for the better.

Standards have, in fact, improved a lot since then – and jQuery representatives past and present have helped at each step along the way.

In December 2012, we helped elect a slate of candidates to reform the W3C. In 2013, jQuery members like Yehuda Katz, myself (Brian Kardell), Paul Irish and Rick Waldron helped author The Extensible Web Manifesto. This document laid out a new vision for how we could re-focus standards, include the voices of developers and re-imagine a better future. Over the past couple of years, this vision has slowly become a driving force in each of the Web standards bodies. Then, in 2014, it was once again jQuery who called on the W3C’s annual meeting (TPAC) to officially adopt, support and find better ways to involve developers’ own voices.

The Extensible Web Manifesto is built on many of the same principles that Addy expressed in that original post: it encourages standards bodies to give developers a say and to create ways to tighten the feedback loop. As Addy eloquently put it in that post:

…How often do we all feel our voices, suggestions and ideas are heard by those groups responsible for defining these standards? The reality is that whilst many of us would like to see change, due to time restrictions and lengthy formal processes we’re unable to participate in standards discussions, get involved with writing specifications and contribute to meetings about the future of features. This makes it difficult for web developers to have a voice.

The traditional model of standards involvement does not work at scale. Millions of developers can’t fly to locations around the world for meetings, and a mailing list of millions doesn’t scale either. The aim of Chapters is to provide a conduit between developers and standards that makes it practical for everyone to be involved. If this sounds interesting, take part and get involved! Have your voice be heard!

jQuery 3.1.0 Released – No More Silent Errors
Thu, 07 Jul 2016 21:50:19 +0000
http://blog.jquery.com/2016/07/07/jquery-3-1-0-released-no-more-silent-errors/

Not so long ago, we released jQuery 3.0. One of the major features of jQuery 3.0 was a small rewrite of jQuery Deferreds. Specifically, we made them compatible with the Promises/A+ spec. That basically meant that errors had to be silenced and passed as rejection values to rejection handlers (added using deferred.catch()). This had the advantage of preventing Promise handlers from getting blocked up by runtime errors, but the disadvantage of errors being silenced if no rejection handlers were added. While this was the right move for Deferreds, we had also changed jQuery.ready and jQuery.fn.ready to use the new spec-compliant Deferreds under the covers.

Unfortunately, if you were using the usual ways to attach ready handlers (e.g. jQuery(function() {}) and jQuery(document).ready(function() {})), you had no way to add a rejection handler. Plus, it wasn’t obvious that you were in Deferred land. Any runtime exceptions were getting swallowed and lost in space. I think they ended up somewhere near Pluto, which isn’t even a planet anymore! There were workarounds, but this wasn’t acceptable to us.

We immediately set out to fix this, and thus jQuery 3.1.0 was born. No longer will errors be silent! You will see them logged to the console by default. If you’d like to have more control on how these errors are handled, we also added an entry point: jQuery.readyException. In most cases, you won’t need to use it, but any errors that are thrown within a ready handler will get passed to this function should you need it.

The default jQuery.readyException re-throws the error asynchronously, so that execution is not stopped and the error is still logged to the console. We hope this solves any debugging issues you may have experienced when using jQuery 3.0.

We do not expect this release to have any breaking changes, but if you do encounter bugs in upgrading from the previous version, please let us know.

Download

Slim build

Sometimes you don’t need ajax, or you prefer to use one of the many standalone libraries that focus on ajax requests. And often it is simpler to use a combination of CSS and class manipulation for all your web animations. Along with the regular version of jQuery that includes the ajax and effects modules, we’ve released a “slim” version that excludes these modules. All in all, it excludes ajax, effects, and currently deprecated code. The size of jQuery is very rarely a load performance concern these days, but the slim build is about 6k gzipped bytes smaller than the regular version – 23.6k vs 30k. These files are also available in the npm package and on the CDN:

These updates are already available as the current versions on npm and Bower. Information on all the ways to get jQuery is available at https://jquery.com/download/. Public CDNs receive their copies today; please give them a few days to post the files. If you’re anxious to get a quick start, use the files on our CDN until they have a chance to update.

Many thanks to all of you who participated in this release by testing, reporting bugs, or submitting patches, including Oleg Gaidarenko, Michał Gołębiowski, and the whole jQuery team.

jQuery 3.0 Final Released!
Thu, 09 Jun 2016 19:10:53 +0000
http://blog.jquery.com/2016/06/09/jquery-3-0-final-released/

jQuery 3.0 is now released! This version has been in the works since October 2014. We set out to create a slimmer, faster version of jQuery (with backwards compatibility in mind). We’ve removed all of the old IE workarounds and taken advantage of some of the more modern web APIs where it made sense. It is a continuation of the 2.x branch, but with a few breaking changes that we felt were long overdue. While the 1.12 and 2.2 branches will continue to receive critical support patches for a time, they will not get any new features or major revisions. jQuery 3.0 is the future of jQuery. If you need IE6-8 support, you can continue to use the latest 1.12 release.

Despite the 3.0 version number, we anticipate that these releases shouldn’t be too much trouble when it comes to upgrading existing code. Yes, there are a few “breaking changes” that justified the major version bump, but we’re hopeful the breakage doesn’t actually affect that many people.

To assist with upgrading, we have a brand new 3.0 Upgrade Guide. And the jQuery Migrate 3.0 plugin will help you to identify compatibility issues in your code. Your feedback on the changes will help us greatly, so please try it out on your existing code and plugins!

Slim build

Finally, we’ve added something new to this release. Sometimes you don’t need ajax, or you prefer to use one of the many standalone libraries that focus on ajax requests. And often it is simpler to use a combination of CSS and class manipulation for all your web animations. Along with the regular version of jQuery that includes the ajax and effects modules, we’re releasing a “slim” version that excludes these modules. All in all, it excludes ajax, effects, and currently deprecated code. The size of jQuery is very rarely a load performance concern these days, but the slim build is about 6k gzipped bytes smaller than the regular version – 23.6k vs 30k. These files are also available in the npm package and on the CDN:

This build was created with our custom build API, which allows you to exclude or include any modules you like. For more information, have a look at the jQuery README.

Compatibility with jQuery UI and jQuery Mobile

While most things will work, there are a few issues that jQuery UI and jQuery Mobile will be addressing in upcoming releases. If you find an issue, keep in mind that it may already be addressed upstream and using the jQuery Migrate 3.0 plugin should fix it. Expect releases soon.

Major changes

Below are just the highlights of the major new features, improvements, and bug fixes in these releases; you can dig into more detail on the 3.0 Upgrade Guide. A complete list of issues fixed is available on our GitHub bug tracker. If you read the blog post for 3.0.0-rc1, the features below are the same.

jQuery.Deferred is now Promises/A+ compatible

jQuery.Deferred objects have been updated for compatibility with Promises/A+ and ES2015 Promises, verified with the Promises/A+ Compliance Test Suite. This meant we needed some major changes to the .then() method. Legacy behavior can be restored by replacing any use of .then() with the now-deprecated .pipe() method (which has an identical signature).

An exception thrown in a .then() callback now becomes a rejection value. Previously, exceptions bubbled all the way up, aborting callback execution. Any deferreds relying on the resolution of the deferred that threw an exception would never have resolved.

Previously, “first callback” was logged and the error was thrown. All execution was stopped. Neither “second callback” nor “rejection callback” would have been logged. The new, standards-compliant behavior is that you’ll now see “rejection callback” and true logged. err is the rejection value from the first callback.

The resolution state of a Deferred created by .then() is now controlled by its callbacks—exceptions become rejection values and non-thenable returns become fulfillment values. Previously, returns from rejection handlers became rejection values.

Example: async vs sync

Previously, this would log “success callback” then “after binding”. Now, it will log “after binding” and then “success callback”.

Important: while caught exceptions had advantages for in-browser debugging, it is far more declarative (i.e. explicit) to handle them with rejection callbacks. Keep in mind that this places the responsibility on you to always add at least one rejection callback when working with promises. Otherwise, some errors might go unnoticed.

We’ve built a plugin to help in debugging Promises/A+ compatible Deferreds. If you are not seeing enough information about an error on the console to determine its source, check out the jQuery Deferred Reporter Plugin.

jQuery.when has also been updated to accept any thenable object, which includes native Promise objects.

Added .catch() to Deferreds

Error cases don’t silently fail

Perhaps in a profound moment you’ve wondered, “What is the offset of a window?” Then you probably realized that is a crazy question – how can a window even have an offset?

In the past, jQuery has sometimes tried to make cases like this return something rather than having them throw errors. In this particular case of asking for the offset of a window, the answer up to now has been { top: 0, left: 0 }. With jQuery 3.0, such cases will throw errors so that crazy requests aren’t silently ignored. Please try out this release and see if there is any code out there depending on jQuery to mask problems with invalid inputs.

Removed deprecated event aliases

Animations now use requestAnimationFrame

On platforms that support the requestAnimationFrame API, which is pretty much everywhere but IE9 and Android<4.4, jQuery will now use that API when performing animations. This should result in animations that are smoother and use less CPU time – and save battery as well on mobile devices.

jQuery tried using requestAnimationFrame a few years back but there were serious compatibility issues with existing code so we had to back it out. We think we’ve beaten most of those issues by suspending animations while a browser tab is out of view. Still, any code that depends on animations to always run in nearly real-time is making an unrealistic assumption.

Massive speedups for some jQuery custom selectors

Thanks to some detective work by Paul Irish at Google, we identified some cases where we could skip a bunch of extra work when custom selectors like :visible are used many times in the same document. That particular case is up to 17 times faster now!

Keep in mind that even with this improvement, selectors like :visible and :hidden can be expensive because they depend on the browser to determine whether elements are actually displaying on the page. That may require, in the worst case, a complete recalculation of CSS styles and page layout! While we don’t discourage their use in most cases, we recommend testing your pages to determine if these selectors are causing performance issues.

This change actually made it into 1.12/2.2, but we wanted to reiterate it for jQuery 3.0.

Traversing

jQuery 3.0 Release Candidate…Released!
Fri, 20 May 2016 19:17:51 +0000
http://blog.jquery.com/2016/05/20/jquery-3-0-release-candidate-released/

Welcome to the Release Candidate for jQuery 3.0! This is the same code we expect to release as the final version of jQuery 3.0 (pending any major bugs or regressions). When released, jQuery 3.0 will become the only version of jQuery. The 1.12 and 2.2 branches will continue to receive critical support patches for a while, but will not get any new features or major revisions. Note that jQuery 3.0 will not support IE6-8. If you need IE6-8 support, you can continue to use the latest 1.12 release.

Despite the 3.0 version number, we anticipate that these releases shouldn’t be too much trouble when it comes to upgrading existing code. Yes, there are a few “breaking changes” that justified the major version bump, but we’re hopeful the breakage doesn’t actually affect that many people.

To assist with upgrading, we have a brand new 3.0 Upgrade Guide. And the jQuery Migrate 3.0-rc plugin will help you to identify compatibility issues in your code. Your feedback on the changes will help us greatly, so please try it out on your existing code and plugins!

Major changes

Below are just the highlights of the major new features, improvements, and bug fixes in these releases; you can dig into more detail on the 3.0 Upgrade Guide. A complete list of issues fixed is available on our GitHub bug tracker.

jQuery.Deferred is now Promises/A+ compatible

jQuery.Deferred objects have been updated for compatibility with Promises/A+ and ES2015 Promises, verified with the Promises/A+ Compliance Test Suite. This meant we needed some major changes to the .then() method:

An exception thrown in a .then() callback now becomes a rejection value. Previously, exceptions bubbled all the way up, aborting callback execution and irreversibly locking both the parent and child Deferred objects.

The resolution state of a Deferred created by .then() is now controlled by its callbacks—exceptions become rejection values and non-thenable returns become fulfillment values. Previously, returns from rejection handlers became rejection values.

Callbacks are always invoked asynchronously. Previously, they would be called immediately upon binding or resolution, whichever came last.

Consider the following, in which a parent Deferred is rejected and a child callback generates an exception:

As of jQuery 3.0, this will log “parent resolved” before invoking any callback, each child callback will then log “fulfilled bar”, and the grandchildren will be rejected with Error “baz”. In previous versions, this would log “rejected bar” (the child Deferred having been rejected instead of fulfilled) once and then immediately terminate with uncaught Error “baz” (“parent resolved” not being logged and the grandchildren remaining unresolved).

While caught exceptions had advantages for in-browser debugging, it is far more declarative (i.e. explicit) to handle them with rejection callbacks. Keep in mind that this places the responsibility on you to always add at least one rejection callback when working with promises. Otherwise, any errors will go unnoticed.

Legacy behavior can be recovered by replacing use of .then() with the now-deprecated .pipe() method (which has an identical signature).
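The three rules above (exceptions become rejection values, a non-thenable return from a rejection handler fulfils the child, callbacks always run asynchronously) and the parent/child/grandchild scenario, as an added example that is not part of the original post or of jQuery's code. It uses native Promise, which the post says jQuery 3 Deferreds now match, so it runs in Node without a jQuery build; the `parent`, `child` and `grandchild` chain is my own reconstruction of the scenario the post describes, not the post's snippet.

```javascript
"use strict";

// Rule 1: an exception thrown inside a .then() callback becomes the rejection
// value of the promise that .then() returned; the rest of the chain keeps running.
function thrownBecomesRejection() {
  return Promise.resolve("first callback")
    .then(function (value) {
      throw new Error("boom: " + value);
    })
    .then(
      function () { return "fulfilled (pre-3.0 behaviour never reached here)"; },
      function (err) { return "rejected: " + err.message; }
    );
}
// resolves to "rejected: boom: first callback"

// Rule 2: a non-thenable value returned from a rejection handler fulfils the
// child promise (before 3.0 it became another rejection value).
function rejectionHandlerReturnFulfils() {
  return Promise.reject(new Error("bar"))
    .then(null, function (err) {
      return "recovered from " + err.message;
    })
    .then(
      function (value) { return "child fulfilled: " + value; },
      function () { return "child rejected"; }
    );
}
// resolves to "child fulfilled: recovered from bar"

// Rule 3: callbacks are always invoked asynchronously, even when the promise
// is already settled at the time .then() is called.
function callbacksAreAsync() {
  var log = [];
  var done = Promise.resolve().then(function () { log.push("success callback"); });
  log.push("after binding");
  return done.then(function () { return log; });
}
// resolves to ["after binding", "success callback"]

// The RC post's scenario: the parent is rejected with "bar", the child's
// rejection handler recovers (so the child is fulfilled with "bar"), and the
// grandchild's callback throws Error("baz"), which rejects the grandchild.
function parentChildGrandchild() {
  var log = [];
  var rejectParent;
  var parent = new Promise(function (resolve, reject) { rejectParent = reject; });
  var child = parent.then(null, function (reason) { return reason; });
  var grandchild = child.then(function (value) {
    log.push("fulfilled " + value);
    throw new Error("baz");
  });
  rejectParent("bar");
  log.push("parent resolved"); // runs before any callback because of rule 3
  // Always attach a rejection handler: without one, Error("baz") would be an
  // unhandled rejection and, as the post warns, could go unnoticed.
  return grandchild.then(
    function () { log.push("grandchild fulfilled"); return log; },
    function (err) { log.push("grandchild rejected: " + err.message); return log; }
  );
}
// resolves to ["parent resolved", "fulfilled bar", "grandchild rejected: baz"]

// Stand-alone run: print every result once all four chains have settled.
Promise.all([
  thrownBecomesRejection(),
  rejectionHandlerReturnFulfils(),
  callbacksAreAsync(),
  parentChildGrandchild()
]).then(function (results) {
  results.forEach(function (r) { console.log(JSON.stringify(r)); });
});
```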

We’ve also built a plugin to help in debugging Promises/A+ compatible Deferreds. If you are not seeing enough information about an error on the console to determine its source, check out the jQuery Deferred Reporter Plugin.

jQuery.when has also been updated to accept any thenable object, which includes native Promise objects.

Added .catch() to Deferreds

Error cases don’t silently fail

Perhaps in a profound moment you’ve wondered, “What is the offset of a window?” Then you probably realized that is a crazy question – how can a window even have an offset?

In the past, jQuery has sometimes tried to make cases like this return something rather than having them throw errors. In this particular case of asking for the offset of a window, the answer up to now has been { top: 0, left: 0 }. With jQuery 3.0, such cases will throw errors so that crazy requests aren’t silently ignored. Please try out this release and see if there is any code out there depending on jQuery to mask problems with invalid inputs.

Removed deprecated event aliases

Animations now use requestAnimationFrame

On platforms that support the requestAnimationFrame API, which is pretty much everywhere but IE9 and Android<4.4, jQuery will now use that API when performing animations. This should result in animations that are smoother and use less CPU time – and save battery as well on mobile devices.

jQuery tried using requestAnimationFrame a few years back but there were serious compatibility issues with existing code so we had to back it out. We think we’ve beaten most of those issues by suspending animations while a browser tab is out of view. Still, any code that depends on animations to always run in nearly real-time is making an unrealistic assumption.

Massive speedups for some jQuery custom selectors

Thanks to some detective work by Paul Irish at Google, we identified some cases where we could skip a bunch of extra work when custom selectors like :visible are used many times in the same document. That particular case is up to 17 times faster now!

Keep in mind that even with this improvement, selectors like :visible and :hidden can be expensive because they depend on the browser to determine whether elements are actually displaying on the page. That may require, in the worst case, a complete recalculation of CSS styles and page layout! While we don’t discourage their use in most cases, we recommend testing your pages to determine if these selectors are causing performance issues.

This change actually made it into 1.12/2.2, but we wanted to reiterate it for jQuery 3.0.

As mentioned above, the Upgrade Guide is now available for anyone ready to try out this release. Aside from being helpful in upgrading, it also lists more of the notable changes.

jQuery 1.12.4 and 2.2.4 Released
Fri, 20 May 2016 17:38:08 +0000
http://blog.jquery.com/2016/05/20/jquery-1-12-4-and-2-2-4-released/

jQuery 1.12.4 and 2.2.4 have been released! These are small releases with a couple of bug fixes. We fixed a sticky issue for those using the AMD source and a “:visible” selector bug in 1.12.3.

If you need any help upgrading, check out the newest release of the jQuery Migrate plugin. Note that jQuery Migrate 1.4.1 is meant to work with these 1.x and 2.x releases, and not jQuery 3.0. jQuery 3.0 has not been released yet – though we will have an RC for you very soon – but another version of Migrate will be released for jQuery 3.0.

We do not expect this release to have any breaking changes, but if you do encounter bugs in upgrading from the previous version, please let us know.

These updates are already available as the current versions on npm and Bower. Information on all the ways to get jQuery is available at https://jquery.com/download/. Public CDNs receive their copies today; please give them a few days to post the files. If you’re anxious to get a quick start, use the files on our CDN until they have a chance to update.

Many thanks to all of you who participated in this release by testing, reporting bugs, or submitting patches, including Oleg Gaidarenko, Michał Gołębiowski, and the whole jQuery team.

jQuery Migrate 1.4.1 released, and the path to jQuery 3.0
Fri, 20 May 2016 01:46:49 +0000
http://blog.jquery.com/2016/05/19/jquery-migrate-1-4-1-released-and-the-path-to-jquery-3-0/

Version 1.4.1 of the jQuery Migrate plugin has been released. It has only a few changes but the most important of them fixes a problem with unquoted selectors that seems to be very common in some WordPress themes. In most cases Migrate can automatically fix this problem when it is used with jQuery 1.12.x or 2.2.x, although it may not be able to repair some complex selectors. The good news is that all the cases of unquoted selectors reported in WordPress themes appear to be fixable by this version of Migrate!

As always, we recommend that you use jQuery Migrate as a tool to find and fix issues when upgrading web sites to new versions of jQuery and associated plugins. The non-minified version provides extensive diagnostics on the console. Take advantage of them, we built them for you!

Migrate and jQuery 3.0

jQuery Migrate will be continuing its role of making jQuery upgrades easier. A release candidate for jQuery Migrate 3.0 will be coming soon.

With all the years of accumulated changes, it isn’t possible to have a single version of jQuery Migrate that can support all the changes from jQuery 1.6 (five years ago!) all the way to jQuery 3.0. So, with Migrate 3.0 we recommend this process to upgrade to jQuery 3.0:

If you haven’t already, upgrade to the latest 1.x or 2.x version of jQuery, and the latest 1.x version of jQuery Migrate. (As of today that is jQuery 1.12.3 or jQuery 2.2.3, combined with jQuery Migrate 1.4.1.)

Remove the Migrate 3.x plugin and ensure the page still works properly without it loaded.

Please do use jQuery Migrate 3.0 as you explore this latest release of jQuery; it will greatly simplify finding problems. We want this plugin to be a tool that makes your development life easier. If you find problems you can report them at the issue tracker.

Many thanks to the jQuery core team for their help, and to GitHub user ekonoval for a very helpful bug report!

ESLint Joins the jQuery Foundation
Tue, 19 Apr 2016 16:04:10 +0000
http://blog.jquery.com/2016/04/19/eslint-joins-the-jquery-foundation/

After last week’s announcement that JSCS is merging with ESLint, this week the ESLint team is announcing that they are bringing their project to the jQuery Foundation. We are very excited to be the providers of a long-term, openly governed home for ESLint. We are also looking forward to seeing the outcomes of this new partnership with JSCS.

At the Foundation, we are constantly striving to find ways to make the development experience better for JavaScript developers. We believe both ESLint and JSCS have been leaders on this front. With these two incredibly bright teams coming together at the jQuery Foundation, we expect to see and support accelerated development of ESLint and an easier discovery and decision process for developers looking to bring JavaScript analysis, linting and code style checking to their projects.

Going forward, we hope to continue supporting innovation in the JavaScript space while at the same time, providing a suitable environment for collaboration in all aspects of the JavaScript development world. For more information about why ESLint chose the jQuery Foundation and how this impacts the teams and users involved, check out their announcement on the ESLint blog.

jQuery 1.12.3 and 2.2.3 Released
Tue, 05 Apr 2016 19:35:30 +0000
http://blog.jquery.com/2016/04/05/jquery-1-12-3-and-2-2-3-released/

jQuery 1.12.3 and 2.2.3 have been released! These are small releases with a couple of bug fixes. There was a minor issue that made the 1.x branch inconsistent with 2.x, and a recently-introduced bug in both branches that affected the .load method.

We do not expect this release to have any breaking changes, but if you do encounter bugs in upgrading from the previous version, please let us know.

These updates are already available as the current versions on npm and Bower. Information on all the ways to get jQuery is available at https://jquery.com/download/. Public CDNs receive their copies today; please give them a few days to post the files. If you’re anxious to get a quick start, use the files on our CDN until they have a chance to update.

Community Notice on npm dependencies in your projects
Thu, 24 Mar 2016 18:45:37 +0000
http://blog.jquery.com/2016/03/24/community-notice-on-npm-dependencies-in-your-projects/

As most of you are likely aware by now, a potentially dangerous security vulnerability was highlighted recently in the use of npm modules in your projects. In general, the jQuery Foundation still believes this is a safe and very powerful practice, and in no way are we saying you should no longer use npm for package management in your JavaScript projects. What we would like to advocate is caution: our community of jQuery plugin developers, and users of the many Foundation projects that distribute packages on npm, should take care when installing a package and its dependencies.

A Quick Recap

Rather than rewrite the story, go ahead and check out the full recap and summary from npm on their blog.

The Concern

What happened next is the reason we are writing this post. Azer Koçulu published a number of packages on npm, one of which was the left-pad package, a simple bit of code that is depended upon by many other packages. After the package was unpublished, many popular projects began having build failures due to the missing package. It is concerning in itself that anyone could unpublish a dependency you have, or a dependency of a dependency of a dependency, and cause you or your team real headaches. Shortly after left-pad was unpublished, the npm team decided to un-unpublish it with a new owner to fix the many breaking builds around the internet.

What is more concerning, though, is the fact that once a package is unpublished, anyone can grab those package names you depend on somewhere in your dependency tree and push new, potentially malicious code into your project. In general, this wouldn’t be too bad, because your package likely relies on a version that was unpublished and the new published version would not be pulled in. However, many people when installing dependencies use the commands npm i --save <package-name> or npm i --save-dev <package-name>, which by default installs the latest version published at the time, preceded by a ^ like ^1.0.0, which tells npm to install any updated version through minor releases the next time dependencies are updated. This means that if you reinstall or update your project and someone has pushed malicious code into a patch (1.0.1) or minor (1.1.0) release from our example, it will automatically be installed in your project.

Recommendations

Our primary recommendation is to be careful. Know what you are installing and know what your dependencies and their dependencies down the tree are installing. You should definitely go through your projects now and see if any of the modules you depend on have been unpublished as well as if any of them are on this list and have recently published new versions that you may want to avoid until you verify it is safe. Though we haven’t spoken with them directly, we are sure the folks at npm, inc. are working hard on a way to address these concerns but until then, be vigilant and keep your projects and plugins safe. We have believed for a while and continue to believe that JavaScript has been and will continue to be one of the strongest options for developing everything from your personal blog to enterprise class applications. With any technology, we will have hiccups along the way but as long as we learn from them and retain that knowledge as we continue on, JavaScript will prevail.
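An added example (not from the post, the Foundation or npm) of the check the post recommends: a small audit that applies npm's caret and tilde range rules to a package.json and reports which dependencies a reinstall would float to a newer published version, and which are on a review list. All package names, versions and the review list are constructed sample data; `rangeAccepts` handles only the `^x.y.z`, `~x.y.z` and exact forms and treats any other range as accepting everything.

```javascript
"use strict";

// Parse "x.y.z" into [x, y, z]. Prerelease tags are not handled (assumption:
// plain release versions only).
function parseVersion(v) {
  var m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error("unsupported version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  var pa = parseVersion(a), pb = parseVersion(b);
  for (var i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` fall inside `range`? Supports the form `npm i --save` writes
// ("^x.y.z") plus "~x.y.z" and an exact "x.y.z". Any other range ("*", "latest",
// ">=1.0.0", ...) is treated as accepting every version, i.e. fully floating.
function rangeAccepts(range, version) {
  var m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  if (!m) return true;
  var op = m[1];
  var base = [Number(m[2]), Number(m[3]), Number(m[4])];
  var v = parseVersion(version);
  var cmp = compareVersions(version, base.join("."));
  if (cmp < 0) return false;                                   // below the range's floor
  if (op === "") return cmp === 0;                             // exact pin
  if (op === "~") return v[0] === base[0] && v[1] === base[1]; // patch updates only
  // caret: the leftmost non-zero component is locked, so ^1.0.0 accepts 1.0.1
  // and 1.1.0 but not 2.0.0; ^0.2.3 stays below 0.3.0; ^0.0.3 is effectively exact.
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Report a dependency when (a) the newest registry version is newer than what is
// installed AND the range accepts it, so a reinstall or update would pull it in,
// or (b) its name is on the review list.
// installed: name -> version in node_modules; latest: name -> newest published version.
function auditDependencies(pkg, installed, latest, reviewList) {
  var deps = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  var findings = [];
  Object.keys(deps).forEach(function (name) {
    var range = deps[name];
    var have = installed[name];
    var newest = latest[name];
    var floats = have !== undefined && newest !== undefined &&
      compareVersions(newest, have) > 0 && rangeAccepts(range, newest);
    var onList = reviewList.indexOf(name) !== -1;
    if (floats || onList) {
      findings.push({
        name: name,
        range: range,
        installed: have,
        wouldUpgradeTo: floats ? newest : null,
        onReviewList: onList
      });
    }
  });
  return findings;
}

// Constructed sample data (not real packages): a package.json, the versions
// currently installed, the newest versions on the registry, and a review list.
var samplePackageJson = {
  dependencies: {
    "example-pad": "^1.0.0",    // what `npm i --save` writes
    "example-utils": "1.4.2",   // exact pin
    "example-colors": "~2.1.0"  // patch-level updates only
  },
  devDependencies: {
    "example-lint": "*"         // accepts anything
  }
};
var sampleInstalled = { "example-pad": "1.0.0", "example-utils": "1.4.2",
                        "example-colors": "2.1.3", "example-lint": "3.0.0" };
var sampleRegistryLatest = { "example-pad": "1.1.0", "example-utils": "1.5.0",
                             "example-colors": "2.2.0", "example-lint": "4.0.0" };
var sampleReviewList = ["example-pad"];

// Stand-alone run: only example-pad (floats to 1.1.0 and is on the list) and
// example-lint (floats to 4.0.0) are reported; the pinned and tilde ranges stay put.
console.log(JSON.stringify(
  auditDependencies(samplePackageJson, sampleInstalled, sampleRegistryLatest, sampleReviewList),
  null, 2));
```

Pointing `installed` at the versions recorded in your lockfile and `latest` at the registry's current versions turns this into the "has anything I depend on published something new that my ranges would accept" check the post asks you to perform.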